edson2024
New Contributor

Dual stack in SSLVPN tunnel mode (FortiClient) and NAT when using IPv6

Hello, we are planning to implement dual stack for FortiClient SSLVPN users. (FortiOS 7.0.14, FortiClient 7.0.7 free version)

We are aware that when using dual stack the firewall policies MUST be configured with both IPv4 and IPv6 stacks.

We have an SSL pool of addresses for IPv4 and another SSL pool of addresses for IPv6. 

 

Questions:

1) Does FortiClient get both an IPv4 and an IPv6 address when connected? (Dual stack enabled in FortiClient)

2) Since NAT is required for IPv4 to work (for example: SSLVPN -> Internet), how is IPv6 traffic handled?

   Is it also required to use an IPv6 address in the outbound firewall rule to NAT the outgoing traffic?

 

Thanks

Anthony_E
Community Manager

Hello edson2024,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello edson2024,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello edson 2024,

 

Did you have a look at this document?:

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/766455/dual-stack-ipv4-and-ipv6-supp...

 

Tell me if it helps. If not, we will continue to investigate.

 

Regards,

Anthony-Fortinet Community Team.
edson2024

Hi, yes, I had a look at that document; it does not address the issue. We are not using (or planning to use) the "Enabled based on policy destination" option. For us, split tunneling is disabled and the policies will be source All, destination All.

Thanks

Anthony_E
Community Manager

Hello edson,

 

Oh ok! We will continue to have a look then.

 

Regards,

Anthony-Fortinet Community Team.
edson2024

Hi, anything? ... It cannot be that complex.

btan
Staff

Hi edson2024,

1) Yes, FCT does get both IPv4 and IPv6 when dual stack is enabled, albeit the FCT GUI will only show the IPv4 address it gets.

2) As it is full tunnel, I'd reckon you will need to include an IPv6 address in the FW policy.

Regards,
Bon